DOI: 10.1145/2187836.2187879

Is this app safe?: a large scale study on application permissions and risk signals

Published: 16 April 2012

Abstract

Third-party applications (apps) drive the attractiveness of web and mobile application platforms. Many of these platforms adopt a decentralized control strategy, relying on explicit user consent for granting permissions that the apps request. Users have to rely primarily on community ratings as the signals to identify the potentially harmful and inappropriate apps even though community ratings typically reflect opinions about perceived functionality or performance rather than about risks. With the arrival of HTML5 web apps, such user-consent permission systems will become more widespread. We study the effectiveness of user-consent permission systems through a large scale data collection of Facebook apps, Chrome extensions and Android apps. Our analysis confirms that the current forms of community ratings used in app markets today are not reliable indicators of privacy risks of an app. We find some evidence indicating attempts to mislead or entice users into granting permissions: free applications and applications with mature content request more permissions than is typical; 'look-alike' applications which have names similar to popular applications also request more permissions than is typical. We also find that across all three platforms popular applications request more permissions than average.
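The risk signals the abstract describes (an app's permission count against a typical baseline, "look-alike" names that imitate popular apps, free versus paid and mature versus non-mature grouping, and community rating against permission count), as an added Python example that is not code from the paper or its project site. The seven apps, their permission sets, their ratings and the popular-name list are constructed for illustration; the look-alike test uses Damerau-Levenshtein distance with a threshold of 2 edits, which is this example's assumption rather than the paper's exact method.

```python
# Added example (not from the paper): risk signals over a constructed app dataset.
# App names, permission sets, ratings and the edit-distance threshold are assumptions.
from dataclasses import dataclass
from math import sqrt
from statistics import mean, median


@dataclass(frozen=True)
class App:
    name: str
    permissions: frozenset   # Android-style permission names
    free: bool
    mature: bool             # market flags the app as mature content
    rating: float            # community rating on a 1..5 scale


def damerau_levenshtein(a: str, b: str) -> int:
    """Optimal string alignment distance: insert, delete, substitute, or
    transpose two adjacent characters (case-insensitive)."""
    a, b = a.lower(), b.lower()
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]


def look_alikes(apps, popular_names, max_distance=2):
    """Map each app whose name is within max_distance edits of a popular app's
    name (but is not that app) to the name it imitates."""
    found = {}
    for app in apps:
        for popular in popular_names:
            if app.name.lower() == popular.lower():
                continue
            if damerau_levenshtein(app.name, popular) <= max_distance:
                found[app.name] = popular
                break
    return found


def permission_excess(apps):
    """Permission count minus the dataset median; positive = more than typical."""
    typical = median(len(a.permissions) for a in apps)
    return {a.name: len(a.permissions) - typical for a in apps}


def group_means(apps, key):
    """Mean permission count per group, e.g. free vs. paid or mature vs. not."""
    groups = {}
    for a in apps:
        groups.setdefault(key(a), []).append(len(a.permissions))
    return {k: mean(v) for k, v in groups.items()}


def ranks(values):
    """1-based ranks; tied values share the mean of their positions."""
    order = sorted(range(len(values)), key=lambda i: values[i])
    out = [0.0] * len(values)
    i = 0
    while i < len(order):
        j = i
        while j + 1 < len(order) and values[order[j + 1]] == values[order[i]]:
            j += 1
        for k in range(i, j + 1):
            out[order[k]] = (i + j) / 2 + 1
        i = j + 1
    return out


def spearman(xs, ys):
    """Rank correlation (-1..1) between two equally long sequences."""
    rx, ry = ranks(xs), ranks(ys)
    mx, my = mean(rx), mean(ry)
    num = sum((x - mx) * (y - my) for x, y in zip(rx, ry))
    den = sqrt(sum((x - mx) ** 2 for x in rx) * sum((y - my) ** 2 for y in ry))
    return num / den


# Constructed sample market; the two look-alikes deliberately ask for more permissions.
POPULAR = ["Angry Birds", "Facebook", "Instagram"]
APPS = [
    App("Angry Birds", frozenset({"INTERNET", "ACCESS_NETWORK_STATE"}), True, False, 4.5),
    App("Angry Bird", frozenset({"INTERNET", "READ_CONTACTS", "SEND_SMS",
                                 "ACCESS_FINE_LOCATION", "READ_PHONE_STATE"}), True, False, 4.2),
    App("Facebook", frozenset({"INTERNET", "READ_CONTACTS", "ACCESS_FINE_LOCATION",
                               "CAMERA"}), True, False, 4.0),
    App("Faceboook", frozenset({"INTERNET", "READ_CONTACTS", "SEND_SMS", "RECEIVE_SMS",
                                "READ_PHONE_STATE", "ACCESS_FINE_LOCATION"}), True, False, 4.6),
    App("Notes Pro", frozenset({"WRITE_EXTERNAL_STORAGE"}), False, False, 3.5),
    App("Sudoku", frozenset({"INTERNET"}), False, False, 4.1),
    App("Hot Pics 18+", frozenset({"INTERNET", "READ_PHONE_STATE", "ACCESS_COARSE_LOCATION",
                                   "READ_CONTACTS"}), True, True, 2.5),
]

if __name__ == "__main__":
    print("look-alikes:", look_alikes(APPS, POPULAR))
    print("excess over median:", permission_excess(APPS))
    print("free vs paid:", group_means(APPS, lambda a: a.free))
    print("mature vs not:", group_means(APPS, lambda a: a.mature))
    rho = spearman([a.rating for a in APPS], [len(a.permissions) for a in APPS])
    print("rating/permission rank correlation: %.2f" % rho)
```

On a real crawl the permission set comes from the app's manifest or store listing and the rating from the market page; the rank correlation over seven constructed apps has no statistical meaning and is there only to show the computation. The shape of the evidence the abstract reports is a correlation near zero between rating and permission count across thousands of apps, together with look-alike, free and mature groups whose mean permission count sits above the market's typical value.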



        Published In

        WWW '12: Proceedings of the 21st international conference on World Wide Web
        April 2012
        1078 pages
        ISBN:9781450312295
        DOI:10.1145/2187836

        Sponsors

        • Univ. de Lyon: Universite de Lyon

        Publisher

        Association for Computing Machinery

        New York, NY, United States


        Author Tags

        1. android apps
        2. application permissions
        3. chrome extensions
        4. facebook apps
        5. privacy

        Qualifiers

        • Research-article

        Conference

        WWW 2012
        Sponsor:
        • Univ. de Lyon
        WWW 2012: 21st World Wide Web Conference 2012
        April 16 - 20, 2012
        Lyon, France

        Acceptance Rates

        Overall Acceptance Rate 1,899 of 8,196 submissions, 23%

        Bibliometrics & Citations

        Bibliometrics

        Article Metrics

        • Downloads (last 12 months): 50
        • Downloads (last 6 weeks): 4
        Reflects downloads up to 01 Mar 2025

        Cited By

        • (2024) A First Look at Security and Privacy Risks in the RapidAPI Ecosystem. Proceedings of the 2024 ACM SIGSAC Conference on Computer and Communications Security, pp. 1626-1640. DOI: 10.1145/3658644.3690294. Online publication date: 2 Dec 2024.
        • (2023) "My privacy for their security". Proceedings of the 32nd USENIX Conference on Security Symposium, pp. 3583-3600. DOI: 10.5555/3620237.3620438. Online publication date: 9 Aug 2023.
        • (2023) Understanding the Inconsistencies in the Permissions Mechanism of Web Browsers. Journal of Information Processing, 31, pp. 620-642. DOI: 10.2197/ipsjjip.31.620. Online publication date: 2023.
        • (2023) Listening to Users' Voice: Automatic Summarization of Helpful App Reviews. IEEE Transactions on Reliability, 72(4), pp. 1619-1631. DOI: 10.1109/TR.2022.3217566. Online publication date: Dec 2023.
        • (2023) Nudging digital entrepreneurs: the influence of the Google Play Store top developer award on technological innovation. International Journal of Entrepreneurial Behavior & Research, 29(9/10), pp. 2110-2134. DOI: 10.1108/IJEBR-08-2022-0729. Online publication date: 17 Oct 2023.
        • (2023) What Influences People's Adoption of Cognitive Cybersecurity? International Journal of Human–Computer Interaction, 40(23), pp. 8295-8312. DOI: 10.1080/10447318.2023.2279411. Online publication date: 12 Nov 2023.
        • (2023) Use of Personal Data for Monetization Purposes: The Case of Mobile Applications. Journal of Economic Issues, 57(4), pp. 1095-1102. DOI: 10.1080/00213624.2023.2273128. Online publication date: 14 Dec 2023.
        • (2023) Predicting Privacy Decisions in Mobile Applications and Raising Users' Privacy Awareness. Research Challenges in Information Science: Information Science and the Connected World, pp. 651-660. DOI: 10.1007/978-3-031-33080-3_48. Online publication date: 23 May 2023.
        • (2022) Wolf at the Door. Proceedings of the 2022 ACM Asia Conference on Computer and Communications Security, pp. 1139-1153. DOI: 10.1145/3488932.3523262. Online publication date: 30 May 2022.
        • (2022) "Desperate Times Call for Desperate Measures": User Concerns with Mobile Loan Apps in Kenya. 2022 IEEE Symposium on Security and Privacy (SP), pp. 2304-2319. DOI: 10.1109/SP46214.2022.9833779. Online publication date: May 2022.
